Have a question about security? Found a flaw in Cypht? We want to hear from you! Drop by the #hastymail IRC channel on freenode, or send me an E-mail at jason [at] cypht [dot] org. We take security seriously. Cypht is an entirely volunteer effort, so we can't afford a bounty program. We can however promise that any security issue reported to us before release will receive a quick response, a thorough review, a sincere thanks, and an honorable mention on this page.

In the browser

By default all cookies are session level, HTTP only, and have the secure flag, path, and domain values set (except one cookie used to pass user notices to the javascript)

On the server

Oauth2 over IMAP/SMTP supported (currently only Gmail and Outlook support this feature)

Session level data is encrypted with a long random string generated on login. Data is stored server side, and the key is stored in a session level secure cookie

Persistent data stored between logins is encrypted with a key derived from your clear text password, which is obviously not stored anywhere

All encryption is done with libsodium if available, otherwsie with AES-256-CBC, encrypt-then-MAC, and PBKDF2 key derivation using OpenSSL (NOT Mcrypt)

PHP ini settings are tightened up at runtime for extra security, including open basedir and session best practices (ones writable at runtime)

No writable files or directories are used inside the web-server document root, and only 3 files need to be inside the document root to run the program. Module sets may include additional assets, such as the HTML editor for outbound mail

Optional local DB based authentication using a salt and PBKDF2 (or libsodium using Argon2 if available)

HTML formatted E-Mail is filtered through HTMLPurifier with all external resources removed before being rendered